Secret Questions Can Be Easy to Break

Personal knowledge questions (a/k/a
“secret questions” or “challenge questions,” among other names) are supposed to
help protect your online information and accounts. The theory is that the
answers to these questions stay in your head (and nobody else’s) longer than
passwords.

But a recent study, “Secrets, Lies,
and Account Recovery: Lessons from the Use of Personal Knowledge Questions at
Google,” reveals that these questions may in fact be weak safeguards. Taking a
deep dive into how and why people choose the answers they choose—and how well
they recall their own answers—two researchers at Google examined the first
large real-world data set on the security and memorability of personal
knowledge questions from their use at Google.

Attacks against secret questions
are a real risk for a host of reasons. First, many users share common answers. In
a single guess, an attacker stands a 19.7% chance of guessing English-speaking
users’ answers for the question “Favorite food?” Also with a single guess, an
attacker has a 3.8% chance at guessing Spanish-speaking users’ answers for “Father’s
middle name?”
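The single-guess numbers above are a property of how concentrated the answer distribution for a question is. The following added example (not from the article or the paper) shows how a site operator could measure that concentration for a question from its own, constructed sample of answers: the share of accounts opened by the single most common answer, the coverage of the top k answers, the min-entropy, and how many guesses it takes to cover half the users. The sample answers and the normalization rule are assumptions for illustration.

```python
from collections import Counter
import math

# Constructed sample of 50 "Favorite food?" answers (not real data). The most
# common answer covers 20% of users, mirroring the concentration the study reports.
SAMPLE_ANSWERS = (
    ["pizza"] * 8 + ["Pizza "] * 2      # same answer, different case/whitespace
    + ["sushi"] * 5 + ["tacos"] * 4 + ["pasta"] * 3
    + [f"dish{i}" for i in range(28)]   # long tail of unique answers
)


def normalize(answer: str) -> str:
    """Fold case and whitespace so 'Pizza ' and 'pizza' count as one answer.

    A recovery system that compares answers this way also has to measure
    guessability this way, otherwise the metric understates the risk.
    """
    return " ".join(answer.strip().lower().split())


def answer_distribution(answers) -> Counter:
    """Count how often each normalized answer appears."""
    return Counter(normalize(a) for a in answers)


def top_k_success_rate(answers, k: int) -> float:
    """Fraction of accounts whose answer is among the k most common ones."""
    counts = answer_distribution(answers)
    total = sum(counts.values())
    covered = sum(c for _, c in counts.most_common(k))
    return covered / total


def min_entropy_bits(answers) -> float:
    """Min-entropy: -log2 of the most common answer's probability."""
    counts = answer_distribution(answers)
    p_max = max(counts.values()) / sum(counts.values())
    return -math.log2(p_max)


def guesses_to_cover(answers, target_fraction: float) -> int:
    """Smallest k such that the top k answers cover target_fraction of accounts."""
    counts = answer_distribution(answers)
    total = sum(counts.values())
    covered = 0
    for k, (_, c) in enumerate(counts.most_common(), start=1):
        covered += c
        if covered / total >= target_fraction:
            return k
    return len(counts)


if __name__ == "__main__":
    print("1-guess success:", top_k_success_rate(SAMPLE_ANSWERS, 1))
    print("10-guess success:", top_k_success_rate(SAMPLE_ANSWERS, 10))
    print("min-entropy bits:", round(min_entropy_bits(SAMPLE_ANSWERS), 2))
    print("guesses for 50% coverage:", guesses_to_cover(SAMPLE_ANSWERS, 0.5))
```

On this sample the single most common answer opens one account in five, and seven guesses cover half the accounts, which is the kind of figure that should disqualify a question from serving as the sole recovery factor.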

Questions that are more secure have
worse recall than unsafe questions: their answers are simply harder to
remember. For the English-speaking population, the question “Father’s middle
name?” had a success rate of 76% overall; the potentially safer question—because
it would be harder to guess correctly—“First phone number?” had a 55% recall. And
the potentially safest questions of all have abysmal recall: “Library card
number?” has a 22% recall and “Frequent flyer number?” has only a 9% recall.

The harder an answer is to remember, the less likely a user is to get past
the security-question prompt and on to the password reset on a website login.
So choose “father’s middle name”—not “frequent flyer number.”

Among the findings:

The ability to remember an answer
decreases significantly over time. The success rate for “Favorite food?” was
74% after a month, but dipped to 53% after three months. A year later, it was
barely 47%.

Questions that are supposedly more
secure because of the expectation that each user has a different answer can
fail because people sometimes deliberately provide untruthful answers. They
give untruthful answers to secret questions either to make the answer harder to
guess (37% of the 1,500 respondents) or easier to remember (15%). Ironically, it
does neither.

Nearly all questions are
potentially vulnerable to trawling attacks, where an attacker makes a few
guesses of common answers for a large number of accounts in hopes of compromising
a significant number of random accounts.
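Trawling looks different from an ordinary brute-force attempt in the recovery logs: one source fails once or twice against many different accounts, rather than many times against one account, so a per-account lockout never fires. The following added example (not part of the article or the paper) runs two simple detectors over a constructed recovery-attempt log, one keyed per account for brute force and one keyed per source for trawling. The log format, field names, thresholds and addresses are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed log lines (not from any real system). Addresses are from the
# RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z recovery_answer ip=203.0.113.5 account=alice result=fail
2024-05-01T10:00:04Z recovery_answer ip=203.0.113.5 account=bob result=fail
2024-05-01T10:00:07Z recovery_answer ip=203.0.113.5 account=carol result=fail
2024-05-01T10:00:10Z recovery_answer ip=203.0.113.5 account=dave result=fail
2024-05-01T10:00:13Z recovery_answer ip=203.0.113.5 account=erin result=fail
2024-05-01T10:00:16Z recovery_answer ip=203.0.113.5 account=frank result=ok
2024-05-01T10:01:00Z recovery_answer ip=198.51.100.7 account=gina result=fail
2024-05-01T10:01:05Z recovery_answer ip=198.51.100.7 account=gina result=fail
2024-05-01T10:01:10Z recovery_answer ip=198.51.100.7 account=gina result=fail
2024-05-01T10:01:15Z recovery_answer ip=198.51.100.7 account=gina result=fail
2024-05-01T10:01:20Z recovery_answer ip=198.51.100.7 account=gina result=fail
2024-05-01T10:02:00Z recovery_answer ip=192.0.2.9 account=hank result=fail
2024-05-01T10:02:30Z recovery_answer ip=192.0.2.9 account=hank result=ok
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) recovery_answer ip=(?P<ip>\S+) "
    r"account=(?P<account>\S+) result=(?P<result>ok|fail)$"
)


def parse_log(text: str):
    """Yield one dict per well-formed line; skip lines that do not match."""
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            yield m.groupdict()


def failures_by_account(events):
    """Map (ip, account) -> number of failed answers."""
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "fail":
            counts[(e["ip"], e["account"])] += 1
    return counts


def flag_brute_force(events, max_failures: int = 5):
    """Classic per-account detector: many failures against one account."""
    return {key for key, n in failures_by_account(events).items() if n >= max_failures}


def flag_trawling(events, min_accounts: int = 5, max_failures_per_account: int = 2):
    """Per-source detector: few failures each against many distinct accounts.

    The per-account cap keeps an ordinary brute-force source out of this set;
    the distinct-account floor is what a per-account lockout cannot see.
    """
    per_ip = defaultdict(dict)  # ip -> {account: failures}
    for (ip, account), n in failures_by_account(events).items():
        per_ip[ip][account] = n
    flagged = set()
    for ip, accounts in per_ip.items():
        if len(accounts) >= min_accounts and max(accounts.values()) <= max_failures_per_account:
            flagged.add(ip)
    return flagged


def trawled_accounts(events, ip: str):
    """Accounts a flagged source touched, including any it got into (result=ok)."""
    return sorted({e["account"] for e in events if e["ip"] == ip})


if __name__ == "__main__":
    events = list(parse_log(SAMPLE_LOG))
    print("brute force:", flag_brute_force(events))
    for ip in flag_trawling(events):
        print("trawling from", ip, "touched", trawled_accounts(events, ip))
```

Note that the trawling source in the sample succeeded on its sixth account after only five failures, which is why the response to a flagged source should include reviewing its successful recoveries, not just blocking further guesses.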